🧭 TimeProofs API
Send only a SHA-256 hash. Get back an ISO timestamp, an HMAC signature, and a public verify URL. Privacy-first. Edge-native. Zero blockchain.
🌐 Base URL
https://timeproofs-api.jeason-bacoul.workers.dev/apiProduction domain (planned): https://api.timeproofs.io
⚡ Endpoints
| Endpoint | Method | Description |
|---|---|---|
/timestamp | POST | Create a proof for a SHA-256 hash. |
/verify?hash=... | GET | Verify existence, timestamp, and server signature. |
⚙️ 30-second Quickstart
Hash locally (browser)
async function sha256HexFromText(str){
const enc = new TextEncoder().encode(str || '');
const buf = await crypto.subtle.digest('SHA-256', enc);
return [...new Uint8Array(buf)].map(b=>b.toString(16).padStart(2,'0')).join('');
}Request a timestamp
curl -X POST 'https://timeproofs-api.jeason-bacoul.workers.dev/api/timestamp' \
-H 'Content-Type: application/json' \
-d '{ "hash":"<your_sha256>", "type":"event", "meta": { "source":"docs" } }'Verify anywhere
curl 'https://timeproofs-api.jeason-bacoul.workers.dev/api/verify?hash=<your_sha256>'🧾 Create Proof — POST /timestamp
Request body
| Field | Type | Required | Description |
|---|---|---|---|
hash | string (64-hex) | Yes | SHA-256 of the content (computed your side). |
type | string | No | Optional label (e.g., prompt, gen, file, event). |
meta | object | No | Small JSON (model, mime, tags…). Keep it tiny. |
Example request
{
"hash": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
"type": "event",
"meta": { "model": "gpt-4o", "mime": "text/plain" }
}Example response
{
"ok": true,
"hash": "e3b0c4...",
"timestamp": "2025-01-15T12:34:56.789Z",
"signature": "hmac_sha256_over(hash+timestamp)",
"verify_url": "https://timeproofs-api.jeason-bacoul.workers.dev/api/verify?hash=e3b0..."
}Signature = HMAC-SHA256(secret, hash + timestamp) — secret kept server-side.
🧩 Verify Proof — GET /verify?hash={sha256}
Example response
{
"ok": true,
"found": true,
"hash": "e3b0c4...",
"timestamp": "2025-01-15T12:34:56.789Z",
"signature": "server_signature",
"first_seen": "2025-01-15T12:34:56.789Z",
"type": "event",
"meta": { "model": "gpt-4o" }
}Outcomes
| Case | Meaning |
|---|---|
ok=true & found=true | Valid proof with timestamp & signature. |
found=false | No proof recorded for this hash. |
ok=false | Malformed hash or internal error. |
🔑 Signature verification (server/client)
Recompute HMAC-SHA256(secret, hash + timestamp) and compare to signature. Matching values confirm authenticity and server timestamping.
Pseudocode
// secret: server-side key (never exposed)
// msg : hex(hash) + ISO8601(timestamp)
const expected = HMAC_SHA256(secret, msg);
assert(expected === signature);You can rely on /verify for zero-setup validation; offline verification coming later.
📈 Beta limits & rate-limiting
- Up to 1,000 proofs / month / IP (beta)
- Unlimited public verification
- No API key yet (Pro will add keys & quotas)
Abuse protection: minimal edge logs; we store only hashes + timestamp + signature (+ optional tiny meta).
🛠️ Errors
| HTTP | Description |
|---|---|
400 | Missing/invalid hash (must be 64-hex). |
404 | Proof not found. |
429 | Rate limit exceeded (beta safeguard). |
500 | Internal server error. |
📦 SDKs (coming soon)
JavaScript (browser & Node), then Python & Go. En attendant, utilisez HTTP + JSON comme ci-dessus.